Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 1st week of January 2018

New Detection Technique – Meltdown

On January 3rd, 2018, researchers from Google, academic institutions, and private companies publicly disclosed two security flaws – Spectre and Meltdown – that exist within nearly every Intel CPU built since 1995. The vulnerabilities are tracked as CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754.

Meltdown breaks the isolation the operating system enforces, and Spectre breaks the isolation between different applications. Both rely on timing measurements that observe the side effects of speculative execution.
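Since the flaws are fixed in the kernel and microcode rather than by a network rule, the first thing a defender wants is a host-side check of whether the mitigations are actually active. The following added example (not part of the vendor update) reads the per-flaw status files that Linux kernels from 4.15 onward expose under /sys/devices/system/cpu/vulnerabilities, maps them to the three CVEs named above, and falls back to a constructed sample when run on a host without that directory. The three-way classification of the status text is an assumption about the wording the kernel uses ("Not affected", "Mitigation: ...", "Vulnerable").

```python
from pathlib import Path

# Real sysfs location where Linux (4.15+) reports CPU flaw status, one file per flaw.
VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# sysfs file name -> CVE from the update.
FLAWS = {
    "meltdown": "CVE-2017-5754",
    "spectre_v1": "CVE-2017-5753",
    "spectre_v2": "CVE-2017-5715",
}


def classify(status):
    """Reduce one status file's text to a coarse state (wording is an assumption)."""
    s = (status or "").strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    # Missing file (old kernel) or unexpected text: treat as needing attention.
    return "unknown"


def assess(readings):
    """Map every known flaw to its state; absent readings become 'unknown'."""
    return {name: classify(readings.get(name)) for name in FLAWS}


def needs_attention(assessment):
    """Flaws a patch/microcode follow-up is required for, as (name, CVE) pairs."""
    return sorted((name, FLAWS[name]) for name, st in assessment.items()
                  if st in ("vulnerable", "unknown"))


def read_sysfs(vuln_dir=VULN_DIR):
    """Collect raw status text from sysfs; returns {} when the directory is absent."""
    readings = {}
    for name in FLAWS:
        p = vuln_dir / name
        if p.is_file():
            readings[name] = p.read_text()
    return readings


# Constructed sample of a partially mitigated host: PTI on, spectre_v2 unpatched,
# spectre_v1 file absent (as on a kernel that predates that status file).
SAMPLE_READINGS = {"meltdown": "Mitigation: PTI\n", "spectre_v2": "Vulnerable\n"}

if __name__ == "__main__":
    readings = read_sysfs() or SAMPLE_READINGS  # fall back to the sample offline
    result = assess(readings)
    for name, state in result.items():
        print(f"{name:11s} {FLAWS[name]}  {state}")
    print("needs attention:", needs_attention(result))
```

A "Mitigation:" line only says the kernel believes a mitigation is in place; whether the CPU microcode update that some Spectre variants depend on has been applied is reported separately by the vendor's tooling, so the check above is a necessary but not sufficient condition.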

New Detection Technique – Qarallex RAT

Qarallex is a new Remote Access Tool and information stealer developed by the Qaverse group. It is built around LaZagne, an open-source credential-recovery tool, and lets an attacker perform a wide range of actions such as capturing mouse, keyboard and webcam input, recording the screen, or stealing sensitive data from the machine. Qaverse's objective is to sell the tool's functionality as a RaaS (RAT as a Service).

The malware is written in Java. Infected machines send HTTPS traffic to the domain vvrhhhnaijyj6s2m.onion[.]casa. After installation the malware makes a total of four HTTPS requests to the C&C server, in which it reports host information such as the running OS, hardware statistics, and user details.

We've added the following correlation rule to detect this activity:

System Compromise, Malware RAT, Qarallex RAT

New Detection Techniques – Trojan Infection

We've updated the following correlation rules as a result of additional recent malicious activity:

We've added new IDS signatures covering the list of SSL certificates that abuse.ch has identified as associated with malware or botnet activity. The updated correlation rules use these signatures to detect command and control (C&C) communications related to several malware families, including:

System Compromise, C&C Communication, APT32 SSL Certificate

System Compromise, C&C Communication, MalDoc SSL activity

System Compromise, C&C Communication, Meterpreter SSL Certificate
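Both the Qarallex rule above and the SSL-certificate rules in this section reduce to the same detection logic: match TLS connection metadata (the server name a client requests and the fingerprint of the certificate the server presents) against known indicators, then correlate repeated hits per host. The following added example (not the vendor's rule code) shows that logic over a constructed key=value TLS log. The Qarallex C&C domain is the defanged one from this update; the certificate fingerprints, the log format and the log lines are constructed placeholders, not real abuse.ch entries.

```python
import re
from collections import defaultdict

# Placeholder SHA1 fingerprints (40 hex chars), NOT real abuse.ch blacklist values.
METERPRETER_FP = "ab" * 20
APT32_FP = "cd" * 20


def refang(ioc):
    """Turn a defanged indicator (example[.]com, hxxp://) back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


# Server-name indicators -> correlation rule name (rule names as in the update).
C2_DOMAINS = {
    refang("vvrhhhnaijyj6s2m.onion[.]casa"): "System Compromise, Malware RAT, Qarallex RAT",
}

# Certificate fingerprint indicators -> correlation rule name.
BAD_CERT_SHA1 = {
    METERPRETER_FP: "System Compromise, C&C Communication, Meterpreter SSL Certificate",
    APT32_FP: "System Compromise, C&C Communication, APT32 SSL Certificate",
}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one constructed key=value log line into a dict of lower-cased values."""
    return {k: v.strip('"').lower() for k, v in KV_RE.findall(line)}


def match_record(rec):
    """Return every rule name that fires for a single TLS connection record."""
    hits = []
    if rec.get("sni", "") in C2_DOMAINS:
        hits.append(C2_DOMAINS[rec["sni"]])
    # Normalise "AB:CD:..." or "abcd..." to bare lower-case hex before lookup.
    fingerprint = rec.get("cert_sha1", "").replace(":", "")
    if fingerprint in BAD_CERT_SHA1:
        hits.append(BAD_CERT_SHA1[fingerprint])
    return hits


def scan(log_text):
    """Scan a whole log; returns {src: {rule: hit_count}} so repeated beacons stand out."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_record(line)
        for rule in match_record(rec):
            findings[rec.get("src", "?")][rule] += 1
    return {src: dict(rules) for src, rules in findings.items()}


# Constructed log: four Qarallex check-ins from one host (the update mentions four
# post-install HTTPS accesses), one Meterpreter-certificate hit, one benign connection.
C2_HOST = "vvrhhhnaijyj6s2m.onion.casa"
SAMPLE_LOG = "\n".join([
    "# constructed TLS metadata log, one connection per line",
    f"ts=2018-01-04T10:00:01Z src=10.0.0.5 dst=203.0.113.10 sni={C2_HOST} cert_sha1=" + "ee" * 20,
    f"ts=2018-01-04T10:00:07Z src=10.0.0.5 dst=203.0.113.10 sni={C2_HOST} cert_sha1=" + "ee" * 20,
    f"ts=2018-01-04T10:00:12Z src=10.0.0.5 dst=203.0.113.10 sni={C2_HOST} cert_sha1=" + "ee" * 20,
    f"ts=2018-01-04T10:00:20Z src=10.0.0.5 dst=203.0.113.10 sni={C2_HOST} cert_sha1=" + "ee" * 20,
    "ts=2018-01-04T10:01:00Z src=10.0.0.9 dst=198.51.100.7 sni=- cert_sha1=" + ":".join(["AB"] * 20),
    "ts=2018-01-04T10:02:00Z src=10.0.0.7 dst=93.184.216.34 sni=www.example.com cert_sha1=" + "ff" * 20,
])

if __name__ == "__main__":
    for src, rules in scan(SAMPLE_LOG).items():
        for rule, count in rules.items():
            print(f"{src:10s} x{count}  {rule}")
```

The two indicator types complement each other: a server name catches the known Qarallex domain even if the operator rotates certificates, while a certificate fingerprint catches Meterpreter or APT32 infrastructure regardless of which hostname or IP it sits behind, and neither requires decrypting the traffic.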

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity: